Cross-Site Scripting Vulnerability in Cisco Online Help System

Saturday, 17 March 2007

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt.

The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

Multiple Cisco products are affected because the vulnerable online help system is used by several Cisco products.

The vulnerability exists specifically in the content search feature of the online help system. This feature allows the user to search for specific keywords in the help contents. The search feature is implemented through an HTML form and scripting code.

The vulnerability exists because the search code in the file PreSearch.html (or in the file PreSearch.class, depending on the product) fails to properly sanitize all of the user's input.

The vulnerability is triggered when a search keyword that includes scripting code enclosed by <script> and </script> tags is entered in the text field of the search form. In some cases, the initial text is sanitized, but further text is not, so scripting code after the initial text can also trigger the vulnerability. For example: "some text <script>alert('I am a script')</script>".
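The partial-sanitization case above, as an added example that is not Cisco's PreSearch.html or PreSearch.class code: `flawedSanitize` is a hypothetical reconstruction of a filter that only cleans the first word of the keyword (so the advisory's "initial text is sanitized, but further text is not" behaviour appears), and `escapeHtml` is the hardened replacement that escapes the whole keyword before it is reflected into the results page. The keyword used as input is the sample quoted in the advisory; the surrounding heading markup and function names are assumptions for the demonstration.

```javascript
// Added example (not the original product's code): partial sanitization
// next to full HTML escaping, run over the advisory's sample keyword.

// Hypothetical flawed filter: strips tags from the first word only, so
// anything after the initial text reaches the page unescaped. This mirrors
// the "initial text is sanitized, but further text is not" case.
function flawedSanitize(keyword) {
  const parts = String(keyword).split(" ");
  parts[0] = parts[0].replace(/<[^>]*>/g, "");
  return parts.join(" ");
}

// Hardened version: escape every character with meaning in HTML, for the
// whole string, so the keyword can only ever render as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed shape of the results page: the keyword is reflected into a heading.
function renderSearchHeading(keyword, sanitize) {
  return "<h2>Results for: " + sanitize(keyword) + "</h2>";
}

// Reviewer's check on the rendered HTML: did a <script> element survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the sample keyword quoted in the advisory.
const SAMPLE_KEYWORD = "some text <script>alert('I am a script')</script>";

const flawedOutput = renderSearchHeading(SAMPLE_KEYWORD, flawedSanitize);
const hardenedOutput = renderSearchHeading(SAMPLE_KEYWORD, escapeHtml);

console.log("flawed  :", flawedOutput, "-> script tag present:", containsScriptTag(flawedOutput));
console.log("hardened:", hardenedOutput, "-> script tag present:", containsScriptTag(hardenedOutput));
```

The point of the comparison is that the fix is not a better tag-stripping pattern but escaping applied to the entire value at the point where it is written into HTML; `containsScriptTag` is the kind of check a reviewer can run over rendered output when assessing whether a product's help pages are affected.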

User intervention is required for an attacker to be able to successfully exploit this vulnerability: an attacker must be able to trick a user into following a malicious, specially crafted, URL. In some cases, the user must be authenticated to the web interface offered by the product for management or regular use.

The following Cisco products are affected by this vulnerability (all versions are affected unless a specific version is explicitly mentioned):

In some cases it is possible to eliminate the vulnerability by removing or renaming the files PreSearch.html and PreSearch.class (if they exist; use your operating system's file search feature to locate them). Please note that this workaround is not applicable to appliances and other products where direct access to the file system is not available, and that after removing or renaming these files it will no longer be possible to search the product's online help contents.

For additional information on Cross-Site Scripting (XSS) attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Intelligence Response "Understanding Cross-Site Scripting (XSS) Threat Vectors", available at:

The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this document.

This issue was independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The original reports were for the Cisco CallManager and for the Cisco VPN Client, respectively. Further investigation revealed a number of additional affected products. We would like to thank Erwin Paternotte, Fox-IT, and Cassio Goldschmidt for bringing this issue to our attention and for working with us towards coordinated disclosure of the issue.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.